Privacy watchdog: Some things just aren't personal

Organisations do not have to issue all the information stored in complaint files in order to comply with individuals' personal data access requests, the UK's data protection watchdog has said.

Under the Data Protection Act (DPA) individuals have the right to access all personal data organisations store about them, but generally have no rights to access information held about others. The Information Commissioner's Office (ICO) said organisations only have to issue the information that relates to an individual which allows them to be identified following a 'subject access request' from that individual.

"For information to be personal data it must relate to an individual and allow an individual to be identified from it – not all the information in a file will do this," the ICO said in its guidance (23-page / 472KB PDF).

"However, the context in which information is held, and the way it is used, can have a bearing on whether it relates to an individual and therefore on whether it can be the individual’s personal data. Even if information is used to inform a decision about someone, this does not necessarily mean that the information is personal data," the ICO said.

"Some information in a complaint file will never be personal data, regardless of the context it is held in and the way it is used – even if it is used in a way that affects an individual," it said.

The ICO said that examples of information that may not need to be disclosed to comply with a subject access request include details of policy discussions, such as disciplinary procedures.

The ICO's guidance included advice on how organisations can determine whether opinions stated in complaints files qualify as personal data and said that organisations should be aware that information held in complaints files may hold personal data about more than one person.

The ICO's guidance also advised organisations over how to consider the disclosure of personal data under UK freedom of information (FOI) laws. The Freedom of Information Act (FOIA) and the Freedom of Information (Scotland) Act came into full force on 1 January 2005, giving individuals the right for the first time to see information held by government departments and public bodies, subject to some exceptions.

Under the FOI laws public organisations are generally exempt from disclosing third party personal information, but organisations are still obliged to conduct a 'public interest test' to determine whether it is right for information to be disclosed, the ICO has previously said.

"Third party personal data cannot be disclosed if it would be unfair to do so," the ICO said in its guidance.

"Fairness in the DPA is particularly about fairness to any person the personal data were obtained from – ie, it is primarily about fairness to the data subject.

"However, other factors, such as a person’s seniority, role and the legitimate interests of the public in the disclosure of the personal data must also be taken into account when assessing fairness. In general, it is more likely to be fair to disclose information about an employee acting in a professional capacity than about a private citizen," the ICO's complaints guidance said.

Organisations should maintain records of information with appropriate filing systems in order to comply with requests under the DPA or FOI laws, the ICO said.

"If organisations have good information management procedures in place, this will make it easier for them to deal with either DPA or FOIA access requests," the ICO guidance said.

"For example, reliable indexes, contents pages, descriptions of documents and metadata can make it easier for those dealing with requests to locate personal data, decide whose personal data it is and to make a decision about its disclosure. It may be possible to establish a routine where the same sorts of requests are made to the same sorts of file," it said.